Software Engineering Institute | Carnegie Mellon

What is CERT?

Center of Internet security expertise

■ Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

■ Located in the Software Engineering Institute (SEI)
  - Federally Funded Research & Development Center (FFRDC)
  - Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
Who is a Malicious Insider?

Current or former employee, contractor, or other business partner who
■ has or had authorized access to an organization’s network, system or data and
■ intentionally exceeded or misused that access in a manner that
■ negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

CERT Insider Threat Center

■ A decade of experience in the insider threat area
■ Sponsors / partners include:
  - US Secret Service
  - Department of Homeland Security
  - Carnegie Mellon CyLab
  - DoD Personnel Security Research Center
  - DoD and Counterintelligence
  - Office of the National Counterintelligence Executive
  - Air Force Research Laboratory
  - Defense Industrial Base members
  - Other federal agencies
Mission of the CERT Insider Threat Center

Improve the preparedness level of the community to prevent, detect, and respond to insider crimes

Desired impact:
■ Organizations will have
  - A more accurate understanding of the lifecycle of insider threats
  - Improved defenses against the types of compromises seen in actual cases
  - Reduction in the number and impact of insider incidents
■ National security should improve as a result
CERT Insider Threat Center Goals

■ Identify policies, procedures, and technologies that can mitigate the risk of insider threat
■ Develop and validate new and existing insider threat controls (including improved automated sensors)
■ Transition controls and influence standards
Desired State

Understand the problem
Develop effective strategies
Deploy the tools

Current State

Understand the problem
Deploy the tools
Current Body of Work

Cases
Assessments
Metrics
Lit Reviews
This Presentation

■ Starts with a quick overview of CERT’s crime profile for insider IT sabotage
■ Follows with demonstrations based on actual case examples to present potential countermeasures
■ Then you can compare your defensive strategies to our controls, and determine whether your existing controls are sufficient to prevent and detect insider attacks such as those shown in the case studies.
Crime Profile: Insider IT Sabotage
Summary of Findings - IT Sabotage

Current or former employee?  Former
Type of position:            Technical (e.g., system or database admins)
Gender:                      Primarily male
Target:                      Network, systems, or data
Access used:                 Unauthorized
When:                        Outside normal working hours
Where:                       Remote access
Recruited by outsiders:      None
Collusion:                   None
MERIT Model of Insider IT

Countermeasures: Insider IT Sabotage
Strategy for Prevention of Insider IT Sabotage

■ Need to prevent creation of unknown access paths
■ Sample unknown access paths in the cases:
  - Planted logic bombs
  - Created backdoor accounts
  - Downloaded and installed malicious code or “hacker tools” such as rootkits, password sniffers, password crackers, viruses,
  - Installed remote administration tool
  - Modified logs to conceal malicious activity
  - Disabled anti-virus and planted virus
■ Why is prevention so difficult?
  - Privileged users have the ability to override system controls without detection
  - Information overload: can’t realistically monitor everything everyone does online
Solution Strategies

■ Implement continuous logging and a centralized, secure log server.
■ Detect and investigate changes that should occur infrequently, such as:
  - Changes to operating system files, scripts, and executables
  - Changes to stable production systems
  - Services killed on host
■ Audit individual actions in logs for privileged accounts.
  - Especially for insiders who are “on the HR radar”
  - Targeted Monitoring
■ Audit access to backup information and the results of backup and recovery tests carefully. This is your last line of defense!
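The detection side of these strategies, as an added example that is not from the CERT slides: a small Python review of centralized log lines that flags the events the slide names (services killed on a host, changes to operating system files, privileged-account actions outside normal working hours, and any activity by users on a targeted-monitoring watch list). The log format, host names, user names and watch list are constructed for the example.

```python
"""Flag the sabotage indicators named on the slide in a centralized log feed.
Log lines, hosts, users and the watch list below are constructed for the example."""
import re
from datetime import datetime

# Constructed sample of a centralized syslog feed (hypothetical hosts and users).
SAMPLE_LOG = """\
2011-03-14 02:13:07 db01 sshd[2231]: Accepted publickey for jsmith from 203.0.113.9 port 51022
2011-03-14 02:14:40 db01 sudo: jsmith : COMMAND=/bin/rm -rf /var/backups/nightly
2011-03-14 02:15:02 db01 systemd[1]: Stopped PostgreSQL RDBMS.
2011-03-14 02:16:30 db01 audit: type=PATH name=/etc/cron.d/cleanup op=create uid=jsmith
2011-03-14 10:02:11 web02 sudo: amin : COMMAND=/usr/bin/apt-get upgrade
2011-03-14 10:05:00 web02 sshd[4410]: Accepted password for amin from 10.0.0.12 port 40000
"""
WATCH_LIST = {"jsmith"}      # privileged users "on the HR radar" (constructed)
WORK_HOURS = range(8, 18)    # 08:00-17:59 counts as normal working hours
OS_PATHS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/boot/")

# "<date> <time> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def user_of(msg):
    """Pull the acting account out of sshd, sudo and audit messages, else None."""
    m = re.search(r"(?:for (\S+) from|^(\S+) : COMMAND=|uid=(\S+))", msg)
    return next((g for g in m.groups() if g), None) if m else None

def review(log_text):
    """Return (timestamp, host, rule, user) tuples for lines an analyst should look at."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip lines that do not parse
        ts, host, prog, msg = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        user = user_of(msg)
        if user in WATCH_LIST:                    # targeted monitoring
            alerts.append((ts, host, "watch-listed user activity", user))
        if prog == "sudo" and hour not in WORK_HOURS:
            alerts.append((ts, host, "privileged action outside working hours", user))
        if prog == "systemd" and msg.startswith("Stopped"):
            alerts.append((ts, host, "service killed on host", user))
        if prog == "audit" and any(p in msg for p in OS_PATHS):
            alerts.append((ts, host, "change to operating system file", user))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(" | ".join(str(field) for field in alert))
```

Every alert keeps the timestamp, host and account so the same records serve incident response and forensic review if an attack is missed at detection time.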
Demos

Demo #3: Keylogger
Application to Your Organization

In the first three months following this presentation you should:
■ Create policies and processes for proactive monitoring of employees with privileged access who are “on the HR radar”
■ Create an incident handling plan for detection and response to services killed on hosts, suspicious changes to operating system files, and modifications to stable production systems

Within six months you should:
■ Implement and consistently enforce the employee monitoring processes defined above
■ Implement the incident handling plan for detection and response to services killed on hosts, suspicious changes to operating system files, and modifications to stable production systems

This is a good place to start - stay tuned for what to do next!
Caveats

■ We only have data on criminals
  - Our findings/recommendations could result in a high false-positive rate.
  - We would like to work with organizations that are willing to be pilot sites. Please contact us.
■ Monitoring techniques are not a guarantee.
  - In the event of a missed insider attack, these methods will be tremendously beneficial for incident response and forensic analysis teams.
■ Consider legal, privacy, and policy issues before implementing any employee-monitoring program.
Food for Thought

■ Which of the monitoring techniques we present today might also be effective in detecting external intruders if they manage to gain access?
■ Could controls be effective against both insiders and outsiders?
Points of Contact

Technical Manager, CERT Insider Threat Center
Dawn M. Cappelli
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
Phone: +1 412 268-9136
Email: dmc@cert.org

http://www.cert.org/insider

Team Lead, Insider Threat Technical Solutions & Standards
Joji Montelibano
CERT Insider Threat Center
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
Phone: +1 412 268-6946
Email: jmm137@cert.org